The tapes contained Social Security numbers, names, account numbers, and payment histories on customers of CitiFinancial, which provides personal, auto, and home-equity loans. The tapes also contained information on customers with closed accounts from CitiFinancial Retail Services, which provides private-label credit cards for retailers.
The tapes were picked up from a Citigroup data center by UPS Inc. on May 2, bound for a data center in Texas operated by Experian, a credit bureau. Experian notified Citigroup on May 20 that the box hadn't arrived; three days later the bank confirmed that the box was missing and notified the Secret Service. UPS hasn't recovered the box but says there's no indication it was stolen. That distinction offers the data little protection: the tapes were unencrypted, so whoever ends up with the box can read everything on them. Starting next month, the bank will begin sending the data electronically in encrypted form; the decision to do so was made prior to this week's disclosure, a spokesman says.
Banks, like all corporations handling customer data, are under intense pressure to revamp their data-protection policies. Following California's lead, eight states (Arkansas, Florida, Georgia, Indiana, Illinois, Montana, North Dakota, and Washington) as well as New York City have passed notification laws regarding information-security breaches. The patchwork of state laws is driving up compliance costs for companies, says Chris Wolf, partner and head of the privacy and data-security practice at law firm Proskauer Rose LLP. Federal laws now working their way through Congress would pre-empt many of the state laws, easing the compliance burden, he says.
Banks have set a high priority on initiatives related to data security. Banks in the United States will spend $1.6 billion on IT security this year, making up 4.1% of total IT spending, according to research firm Celent Communications. Among the top security budget items are combating insider fraud, achieving compliance, two-factor authentication, awareness and education, and anti-spyware and other tools for preventing malicious attacks.
In light of the disclosures by Citigroup and Bank of America, which reported in February that tapes containing information on 1.2 million customers were lost in transit, banks are likely to accelerate adoption of methods for better securing customer data, such as encrypting all data, tightening physical security, and installing perimeter defenses such as firewalls and intrusion-detection systems.
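To make "encrypting all data" concrete, here is an added example (not code from the article, from Citigroup or from any of the firms named) of sealing a customer-data export before it leaves the building. It uses Go's standard-library AES-256-GCM: the key travels separately from the payload, so a lost tape or package holds only ciphertext, and a shipment label is bound as associated data so a modified or re-addressed file is rejected rather than decrypted. The sample record, the label and the key-handling comments are constructed assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// newAEAD builds an AES-256-GCM cipher from a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealExport encrypts one export file. Output layout: nonce || ciphertext || tag.
// The label (shipment ID, destination) is bound as associated data, so the file
// cannot be re-addressed to a different recipient without failing verification.
func sealExport(key []byte, label string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// openExport reverses sealExport and fails closed on any change to the
// ciphertext, the tag, or the label.
func openExport(key []byte, label string, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed export too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(label))
}

// keyFingerprint gives both ends a short identifier to confirm they hold the
// same key without ever writing the key itself to a log or shipping manifest.
func keyFingerprint(key []byte) string {
	sum := sha256.Sum256(key)
	return fmt.Sprintf("%x", sum[:4])
}

func main() {
	// Constructed sample record; not real customer data.
	export := []byte("acct=000123,name=J. Doe,ssn=XXX-XX-1234,last_payment=2005-04-15\n")

	// Assumption: in production the key comes from a KMS or is wrapped and
	// delivered out of band. It never rides in the same box or transfer as the data.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	label := "shipment-2005-05-02/experian-tx" // constructed shipment label

	sealed, err := sealExport(key, label, export)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes under key %s; this is all a courier ever holds\n",
		len(sealed), keyFingerprint(key))

	// Receiver with the right key and label recovers the data.
	if pt, err := openExport(key, label, sealed); err != nil || string(pt) != string(export) {
		panic("legitimate receiver could not open export")
	}
	// One flipped byte in transit, or a mismatched label, is rejected outright.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := openExport(key, label, tampered); err == nil {
		panic("tampered export accepted")
	}
	if _, err := openExport(key, "shipment-2005-05-02/other", sealed); err == nil {
		panic("mislabelled export accepted")
	}
	fmt.Println("roundtrip ok; tampering and relabelling rejected")
}
```

Two practical points the code embodies: the key is generated and stored apart from the payload, which is the whole reason a lost box becomes a non-event, and each file gets a fresh random nonce, since reusing a nonce under the same GCM key breaks both confidentiality and integrity. Rotate the key rather than sealing an unbounded number of files under one.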
Still, despite the public brouhaha over customer data protection, it may take banks a while to implement all these changes. "We're looking at a redefinition of processes," says Celent analyst Jacob Jegher. "Big banks have a lot of technology and processes, which take time to change." The practice of externally shipping tapes off-site is still quite common and is unlikely to disappear, he says.